PRs from forks: a solution?

For our GitHub CI we’d love to check PRs from contributors - i.e. from forks. I understand that’s currently not possible, due to security considerations.

I think I know how to do it without security issues, and even better, I think I know how you can check that people are doing it securely - and continue to prevent analysis in insecure contexts.

I will quickly describe how; once you tell me that this is a possible path forward I’m happy to implement a demo repo that allows us to make progress. But I don’t want to spend more time on SonarCloud if all I can see is dead ends :slight_smile:

Secure fork analysis

I’m talking about GitHub and C++ projects; I expect much of that can be applied elsewhere. The trick is to split the analysis (done in the target project context) from the build (done in the fork context). In our example I can CMake-configure the contribution and generate compile_commands.json in a pull_request trigger context - without any secrets. I would then store that compile_commands.json file as artifact, and have an independent job triggered by the successful conclusion of the first job. This second job picks up the artifact and runs the analysis in the context of the target project - with secrets; it will thus be able to upload the results.

Ensuring security

You can add an Action to the GitHub Actions marketplace (for extra visibility!) that checks for the github.repository_owner to be the expected one, e.g. as defined in Or you have sonar_scanner check the environment variable GITHUB_REPOSITORY_OWNER. If you detect a fork context then you issue a (very helpful, actually…) error that analysis on forks isn’t supported, and link to the doc page that explains this approach here. Else you know that the secret doesn’t actually leave the organization and there’s no reason (I hope) to prevent the analysis from being processed.

Would this be an acceptable avenue for SonarSource?

Cheers, Axel

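The two-workflow split described above, written out as an added example (not code from the original post or from SonarSource's own CI): the first file runs in the contributor's pull_request context without secrets and only uploads compile_commands.json; the second runs under workflow_run in the base repository, where secrets are available, and refuses to proceed unless GITHUB_REPOSITORY_OWNER matches the expected owner. The file names, the EXPECTED_ORG placeholder, the doc-page placeholder and the sonar.cfamily.compile-commands property are assumptions; both files are shown in one block separated by `---`.

```yaml
# .github/workflows/pr-build.yml (hypothetical path)
# Runs in the contributor's pull_request context: no secrets available.
name: PR build
on:
  pull_request:
jobs:
  configure:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cmake -S . -B build -DCMAKE_EXPORT_COMPILE_COMMANDS=ON
      - uses: actions/upload-artifact@v4
        with:
          name: compile-commands
          path: build/compile_commands.json
---
# .github/workflows/pr-analyze.yml (hypothetical path)
# Runs in the base repository, with secrets, once "PR build" completes.
name: PR analyze
on:
  workflow_run:
    workflows: ["PR build"]
    types: [completed]
jobs:
  analyze:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - name: Refuse to run with secrets outside the expected owner
        run: |
          if [ "$GITHUB_REPOSITORY_OWNER" != "EXPECTED_ORG" ]; then
            echo "Analysis on forks is not supported; see <doc page>" >&2
            exit 1
          fi
      # Check out exactly the commit that was built, not a moving ref.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.workflow_run.head_sha }}
      # The artifact is contributor-controlled input: consume it as data,
      # and run no contributor-defined build steps in this privileged job.
      - uses: actions/download-artifact@v4
        with:
          name: compile-commands
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Analyze in the target project context
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: sonar-scanner -Dsonar.cfamily.compile-commands=compile_commands.json
```

The owner check appears twice on purpose: the shell step is what a marketplace Action or the scanner itself could perform, while the workflow_run trigger already confines the secret-bearing job to the base repository.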

Hi @AxelCERN!

Thanks for digging into this and providing this idea.

Analysis of external contributions is something we want to implement in the mid-term and a long-awaited feature for many users: I added your contribution to the list, and we will for sure consider it when the time comes for us to design the solution!

Have a nice day,